[dev.icinga.com #8994] Uncaught exception on empty session.save_path()

[icinga-migration]

This issue has been migrated from Redmine: https://dev.icinga.com/issues/8994

Created by mfriedrich on 2015-04-04 13:20:59 +00:00

Assignee: (none)
Status: Resolved (closed on 2015-04-22 15:30:03 +00:00)
Target Version: 2.0.0-rc1
Last Update: 2015-04-22 15:30:03 +00:00 (in Redmine)

---

Problem

I am currently refactoring icinga-vagrant.git using different puppet modules. Now I forgot to properly define the php session path in these modules.

Apparently Icinga Web 2 (php-Icinga) throws an uncaught exception for that - this should be something more readable on-screen imho.

Fatal error: Uncaught exception 'Icinga\Exception\ConfigurationError' with message 'Can't save session, path '' is not writable.' in /usr/share/php/Icinga/Web/Session/PhpSession.php:82 Stack trace: #0 /usr/share/php/Icinga/Web/Session.php(32): Icinga\Web\Session\PhpSession->__construct() #1 /usr/share/php/Icinga/Application/Web.php(196): Icinga\Web\Session::create() #2 /usr/share/php/Icinga/Application/Web.php(92): Icinga\Application\Web->setupSession() #3 /usr/share/php/Icinga/Application/ApplicationBootstrap.php(335): Icinga\Application\Web->bootstrap() #4 /usr/share/php/Icinga/Application/webrouter.php(111): Icinga\Application\ApplicationBootstrap::start() #5 /usr/share/icingaweb2/public/index.php(4): require_once('/usr/share/php/...') #6 {main} thrown in /usr/share/php/Icinga/Web/Session/PhpSession.php on line 82

http://stackoverflow.com/questions/12719096/understanding-session-save-path-as-no-value-and-security

The current implementation does not respect empty values, but falls through checking an empty string for being writable.

Proposed fix

• Catch Configuration Exceptions and present them properly
• Only check writable dirs if session_save_path() is defined

This fixes the problem, for example:

        $sessionSavePath = session_save_path();
        if (session_module_name() === 'files' && defined($sessionSavePath) && !is_writable($sessionSavePath)) {
            throw new ConfigurationError("Can't save session, path '$sessionSavePath' is not writable.");
        }

Changesets

2015-04-22 15:26:15 +00:00 by aklimov 9cd7765

If session_save_path() returns '', use sys_get_temp_dir()

resolves #8994

---

Relations:

• relates #8998

[icinga-migration]

Updated by mfriedrich on 2015-04-04 13:27:15 +00:00

The test suite doesn't catch that error, it sets that to a default value.

test/php/library/Icinga/Web/Session/PhpSessionTest.php:                'save_path'     => '/tmp',

[icinga-migration]

Updated by elippmann on 2015-04-07 07:16:47 +00:00

• Relates set to 8998

[icinga-migration]

Updated by elippmann on 2015-04-07 07:19:22 +00:00

• Subject changed from _Uncaught exception on empty session_save_path() _ to _Uncaught exception on empty session.save_path() _
• Target Version set to 2.0.0-rc1

The proper fix here is to set the $sessionSavePath to sys_get_temp_dir() if it's the empty string before checking whether the path is writable. I added a related issue for the insecure path part. Thanks for the report Michi.

[icinga-migration]

Updated by aklimov on 2015-04-22 15:30:03 +00:00

• Status changed from New to Resolved
• Done % changed from 0 to 100

Applied in changeset 9cd7765.